The finding relates to a potential vulnerability in the deposit and withdrawal process GMXVault.sol involving GMX and GMXVault.sol Specifically, when a deposit request is denied on the GMX side, it triggers a callback in the GMXVault.sol contract. Within this callback function, the leverage amount is repaid,
and the attacker set in the deposit request receives native tokens. However, if the attacker request reverts when receiving these tokens, it causes the entire transaction to revert. Additionally, vulnerabilities can arise if a user is blacklisted by USDC token contracts, an attacker can do this intentionally to drain the lending pool.
Deposit Denial Handling: When a deposit request is denied on the GMX side, the callback function in VodkaV2GMXHandler is invoked. In this function, the leverage amount is repaid, and native tokens are transferred to the user initiating the deposit request.
User Reversion: If the user reverts during the receipt of native tokens, it results in the entire transaction being reverted. This means that the funds intended for repayment are not transferred, potentially causing a loss of assets.
Blacklisting Vulnerability: Users can be blacklisted by USDC token contracts. Blacklisting specific addresses at the contract level can lead to failures in transfers to or from those addresses.
The potential impacts of these vulnerabilities include:
Loss of assets when deposit requests are canceled on the GMX side and users revert during the receipt of native tokens.
Disruption of token transfers for blacklisted addresses, which can affect the functionality of the system and user experience.
To mitigate these vulnerabilities, the following recommendations are proposed:
In https://github.com/Cyfrin/2023-10-SteadeFi/blob/1841efff70defe305d53a850c49acffda788a401/contracts/strategy/gmx/GMXDeposit.sol#L213 Wrap Token Transfers in Try/Catch Blocks: When transferring tokens to users, wrap the transfer operation in a try/catch block to handle errors gracefully. This prevents transaction reversion due to user reverts.
Check for User Blacklisting: Implement checks to verify if the receiver of USDC tokens is not blacklisted. This check can help ensure that token transfers to and from users' addresses proceed smoothly, reducing potential disruptions.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.